[RCU] FYI : RuleID 981248 in modsecurity_crs_41_sql_injection_attacks breaks RC

S.Loewenthal simon at klunky.co.uk
Thu Nov 3 16:17:11 CET 2011

Hi there,

This tripped me up today so thought I should add it.

ModSec rule 981248 contained in CRS base rules
modsecurity_crs_41_sql_injection_attacks will cause RC to break as shown:

[Thu Nov 03 15:57:49 2011] [error] [client] ModSecurity: 
Access denied with code 403 (phase 2). Pattern match 
..." at REQUEST_COOKIES:roundcube_sessid. [file 
[line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 
1/2"] [data "7or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag 
"WEB_ATTACK/ID"] [hostname "webmail.example.com"] [uri "/"] [unique_id 

A work around is to add this to the vhost:
SecRuleRemoveById 981248
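
Removing rule 981248 outright also stops it inspecting every other request variable on that vhost. As an added example (not part of the original post), this Python script parses ModSecurity denial lines and emits a `SecRuleUpdateTargetById` exclusion scoped to the session cookie only. The log lines are constructed, the `ARGS:_q` hit and all placeholder values are assumptions, and it assumes ModSecurity 2.6 or later, where that directive exists.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpt in the post. Client address,
# pattern text, file path and unique_id are placeholders, not values from the post.
SAMPLE_LOG = """\
[Thu Nov 03 15:57:49 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PATTERN" at REQUEST_COOKIES:roundcube_sessid. [file "/path/to/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "7or"] [severity "CRITICAL"] [hostname "webmail.example.com"] [uri "/"] [unique_id "PLACEHOLDER-1"]
[Thu Nov 03 16:02:10 2011] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PATTERN" at REQUEST_COOKIES:roundcube_sessid. [file "/path/to/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "3or"] [severity "CRITICAL"] [hostname "webmail.example.com"] [uri "/"] [unique_id "PLACEHOLDER-2"]
[Thu Nov 03 16:05:31 2011] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PATTERN" at ARGS:_q. [file "/path/to/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "1or"] [severity "CRITICAL"] [hostname "webmail.example.com"] [uri "/"] [unique_id "PLACEHOLDER-3"]
"""

# The matched variable follows " at " and ends at ". [" before the metadata.
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')
# Metadata fields look like [id "981248"] or [data "7or"].
META_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_hit(line):
    """Return (rule_id, variable, data) for a ModSecurity denial line, else None."""
    if "ModSecurity:" not in line:
        return None
    target = TARGET_RE.search(line)
    meta = dict(META_RE.findall(line))
    if not target or "id" not in meta:
        return None
    return meta["id"], target.group(1), meta.get("data", "")


def scoped_exclusions(log_text, opaque_vars):
    """Count hits per (rule, variable); emit exclusions only for variables the
    operator has listed as opaque, server-generated values (e.g. session IDs)."""
    hits = Counter()
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit:
            hits[hit[:2]] += 1
    directives = [f'SecRuleUpdateTargetById {rid} "!{var}"'
                  for rid, var in sorted(hits) if var in opaque_vars]
    return hits, directives


if __name__ == "__main__":
    hits, directives = scoped_exclusions(SAMPLE_LOG, {"REQUEST_COOKIES:roundcube_sessid"})
    for (rid, var), count in sorted(hits.items()):
        print(f"rule {rid} matched {var}: {count} time(s)")
    print("\n".join(directives))
```

With the scoped exclusion in place of `SecRuleRemoveById`, rule 981248 keeps inspecting request arguments and other cookies, so the constructed `ARGS:_q` hit above would still be blocked.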

List info: http://lists.roundcube.net/users/
